Active Directory Setup

The following instructions walk you through setting up the TimeForce program for Active Directory login.
Note: Before performing the following steps you must first configure Internet Information Services (IIS). See Active Directory Configuration for more information.

System Settings

Specify the following settings in the "System Setup" section of the TimeForce program:

  1. Log into the TimeForce program normally. If you are prompted for a Windows username and password before the login screen appears, "Read" access permissions need to be set on the "C:\Inetpub\wwwroot\qqest\" directory.
    Note: Adding "Read Access" to the "Everyone" group will ensure that all users can access the program. However, your IT staff should decide how access rights to the Qqest directory should be granted.

  2. Once logged into the program, click on the main "Admin" navigation tab, and then on the Settings link located in the System Tools section of the screen.

  3. Click on the Edit link located under the System Setup heading.

  4. Browse to the Active Directory/LDAP Integration section of the screen. Put a check mark in the "Enable Active Directory/LDAP Integration" option. Additional settings appear.

  5. In the Connection String field, click on the Suggest link. If the Web Server is part of the Active Directory, the LDAP string will be populated automatically. If not, you will receive an error indicating that the Web Server cannot access the Active Directory. In this case, the IP address of the LDAP server should be entered.

  6. Specify a Connection Username and a Connection Password. Often, a system admin will create an Active Directory account specifically for TimeForce to use for this purpose. The only requirement is that the account has the ability to read the Active Directory users who are using TimeForce.

  7. With the connection username and password specified, click on the Test link in the Test Connection field. This will determine if a connection to the Active Directory or LDAP server has been established.

    • If the connection to the Active Directory was successful, a message indicating successful connection for manual and auto logins appears.

    • If you are using LDAP over Active Directory, the message will most likely indicate that you can only use a manual login.

    • If the connection string or username/password is incorrect, a message will appear indicating that successful connection could not be established.

  8. If you wish to use Auto Login and to test that the login is successful, click on the link in the LDAP Auto Login field.

    • This link should read: "http://{WEBSERVER}/qqest/Login/Autologin.asp?c={COMPANYCODE}"

    • Failure to specify the appropriate Company Code will result in an error when logging into the system.

    • This URL does not require any credentials to be specified. The Windows credentials that users logged into their computers with are used to authenticate to TimeForce automatically.

    • Users will now use this link to access TimeForce instead of the default login page. Program shortcuts should be modified appropriately.

  9. If you would like employees to log in to TimeForce using their LDAP credentials, test the login by clicking on the link in the LDAP Manual Login field.

    • This link should read: "http://{WEBSERVER}/qqest/Login/LDAP.asp?c={COMPANYCODE}"

    • Failure to specify the appropriate Company Code will result in an error when logging into the system.

    • Users will now use this link to access TimeForce instead of the default login page. Program shortcuts should be modified appropriately.

  10. To determine the format of the username when using LDAP login, the system administrator should choose between "userPrincipalName" and "sAMAccountName" in the LDAP Login Format field.

    • Specifying "userPrincipalName" requires users logging in to enter their username as "{USERNAME}@{DOMAIN}". If the LDAP Default Domain is specified, only the username must be entered.

    • Specifying "sAMAccountName" requires users logging in to enter their username as "{DOMAIN}\{USERNAME}". If the LDAP Default Domain is specified, only the username must be entered.

  11. Specify the LDAP Default Domain, if desired. See the notes of step #10 above for more information.

  12. Click on the [SAVE SETTINGS] icon in either the upper or lower right-hand corners of the screen to save the changes that you have made.
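
The directory permission discussed in step 1 can be reviewed from PowerShell on the web server before and after access is granted. This is an added example, not part of the TimeForce documentation; the function name Get-BroadAccessFinding and the list of principals treated as broad are assumptions, and the path should be adjusted to your installation.

```powershell
# Added example (not TimeForce code): report what broad groups can do in the
# qqest web directory. Run on the web server; adjust -Path to your install.
param(
    [string]$Path = 'C:\Inetpub\wwwroot\qqest'
)

# Assumption: principals counted as "broad" for this audit.
$broadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# Read-only mask: ReadAndExecute + Synchronize, plus the GENERIC_READ and
# GENERIC_EXECUTE bits that appear on inherit-only entries.
$readOnly = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
$readOnlyMask = [int]$readOnly -bor 0x80000000 -bor 0x20000000

function Get-BroadAccessFinding {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $rule.IdentityReference.Value) { continue }

        # Bits outside the mask mean the grant exceeds "Read" (write, modify, ...).
        $excess = [int]$rule.FileSystemRights -band (-bnot $readOnlyMask)
        [pscustomobject]@{
            Identity    = $rule.IdentityReference.Value
            Rights      = $rule.FileSystemRights
            Inherited   = $rule.IsInherited
            ExceedsRead = ($excess -ne 0)
        }
    }
}

Get-BroadAccessFinding -Path $Path | Format-Table -AutoSize
```

Any row with ExceedsRead set to True is a grant wider than the "Read" access this setup calls for and should be reviewed by the IT staff deciding access rights to the directory.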

Assigning Active Directory Access to TimeForce Users

Before TimeForce users will be able to log in, you must first assign them to the appropriate Active Directory user account.

  1. From the main "Admin" tab, click on the User Security link located under the System Tools section of the screen.

  2. Enter the desired search criteria to bring up the users that you would like to assign to an Active Directory account. Clicking on the [DISPLAY] icon without specifying search criteria will bring up all users in the system.

  3. From the list of displayed users, click on the link in the User Name column. The User Info screen appears to the right.

  4. The LDAP/AD User field appears in the list of displayed user settings. Select the appropriate account from the drop-down menu, and click on the [UPDATE] icon.

  5. Repeat these steps for each desired TimeForce user.

Once an Active Directory account is applied to a TimeForce user, the Active Directory username is listed instead of the TimeForce username. This name will appear in green. A username in red indicates that the user will not be able to log in. Either the username is wrong, or the System Settings connection does not allow access to that particular user.

You should now be able to log in using one of the URLs from steps 8 or 9 in the "System Settings" section above. Remember that all shortcuts to the TimeForce program must be modified to use one of these two new URLs.